pf, ssh related question

krad kraduk at googlemail.com
Sat Oct 17 12:04:03 UTC 2009


Theoretically, if you sent a SYN packet from the same source port at
the same time as you reloaded the rules you could get around it.
However, the practicalities of this make it not worth the hassle,
especially if you don't control the firewall you're traversing through
from the client end. Best to live with it.

On 10/17/09, Dánielisz László <laszlo_danielisz at yahoo.com> wrote:
> Hello,
>
> I have the following annoying thing: every time I run pfctl -F all -f
> /etc/pf.conf I get disconnected from my remote machine.
> Do you have any idea how I can avoid this?
>
> Here is my pf.conf
>
>
> #MACROS
> ext_if="rl0"
> int_if="rl1"
> good_ip="{192.168.1.0/24}"
> icmp_types="echoreq"
>
> set skip on lo
>
> scrub in
>
> block in
> pass out keep state
>
> antispoof quick for { lo $int_if }
>
> #incoming ssh
> pass in log quick on $int_if inet proto tcp from $good_ip to ($int_if) port 22 flags S/SA keep state
>
> #incoming http
> pass in log quick on $int_if inet proto tcp from $good_ip to ($int_if) port 80 flags S/SA keep state
>
> pass in inet proto icmp all icmp-type $icmp_types keep state
>
>
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>

-- 
Sent from my mobile device
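One way to reload pf from a remote session without losing it, as an added example that is not part of this thread: `pfctl -F all` flushes the state table together with the rules, which is what drops the SSH session, whereas loading with `-f` alone replaces the rules and keeps existing states. The script also parse-checks the file first and arms a timed rollback to the last known-good ruleset in case the new rules block SSH. It assumes FreeBSD pfctl(8); the PFCTL, RULES and BACKUP variables and the pf_* function names are this example's own.

```shell
#!/bin/sh
# Reload a pf ruleset from a remote SSH session without killing that session.
# Added example, not from the thread. PFCTL, RULES and BACKUP are overridable
# so the functions can be exercised on a host without pf.
PFCTL="${PFCTL:-/sbin/pfctl}"
RULES="${RULES:-/etc/pf.conf}"
BACKUP="${BACKUP:-/etc/pf.conf.last-good}"

# Parse-only check (-n): a syntax error must never reach the live firewall.
pf_check() {
    "$PFCTL" -n -f "$RULES"
}

# Load the rules with -f alone. Unlike "pfctl -F all -f ...", this replaces
# the ruleset but leaves the state table intact, so the established SSH
# connection keeps matching its existing state entry and is not dropped.
pf_reload_keep_state() {
    "$PFCTL" -f "$RULES"
}

# Explicit state flush, kept in its own function so it only runs on purpose.
pf_flush_states() {
    "$PFCTL" -F states
}

# Arm a rollback: unless cancelled within $1 seconds, reload the last
# known-good ruleset. Guards against a new rule that locks SSH out.
# Prints the watchdog PID so the caller can cancel it with pf_commit.
pf_arm_rollback() {
    ( sleep "$1" && "$PFCTL" -f "$BACKUP" ) >/dev/null 2>&1 </dev/null &
    echo $!
}

# Check, arm the rollback, reload without flushing state; prints watchdog PID.
# Usage: pid=$(pf_safe_reload 60); test the session; pf_commit "$pid"
pf_safe_reload() {
    pf_check 1>&2 || { echo "ruleset failed to parse; not loading" >&2; return 1; }
    pid=$(pf_arm_rollback "${1:-60}")
    pf_reload_keep_state 1>&2 || { kill "$pid" 2>/dev/null; return 1; }
    echo "$pid"
}

# Session confirmed working: cancel the rollback and record the new ruleset
# as the known-good one for the next reload.
pf_commit() {
    kill "$1" 2>/dev/null || true
    cp "$RULES" "$BACKUP"
}
```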

